How to determine if the Linux system is invaded by hackers?This method can be used

Malware sometimes uses Linux kernel process camouflage to hide its runtime, let us study how to use this strategy to expose Linux malware.

What did the Linux kernel process disguised?

On Linux, the kernel creates many threads to help complete the system task, which can be used for scheduling, disk I / O, etc.

When you use a standard process list command (for example, PS), these threads will be displayed as [Brackets] to indicate that they are certain threads. In the PS list, the normal process usually does not display [Brackets]. BRACKETS indicates that the process does not have command line parameters, which usually means that the process is generated as a thread.

For example, the following list shows comparison of kernel threads and normal processes:


Figure 1: Linux kernel thread and normal process

What is it like?

Linux malware uses a variety of techniques to hide the testing program.

According to the world’s recognized white hacker, network security expert Guo Shenghua revealed that one method of hacker will use by displaying [Brackets] around [Brackets] around the process, in the name of the PS list, the administrator can easily The way is ignored malicious processes. “

If you look at the following list, we have already tried to hide itself by looking like a kernel thread. Can you see it?

Figure 2: Example of camouflage hidden Linux kernel thread

How to simulate Linux kernel threads

Now you know what the camouflaged Linux kernel thread looks like, let’s set a test so that you can try to use the command line to find it.

We will use the SLEEP command to simulate because you can execute this command on any system, but don’t worry that it will cause trouble:

ExportPath =.: $ PATHCP / BIN / SLEEP / TMP / [KWORKERD] CD / TMP “[KWORKERD]” 3600 &

The export road set, so we can “in front of the file that does not need to put a file running in the local directory. This makes it look more legal.

Next, we copy the sleep command to / TMP and run it in a false name [kWorkerd]. We set a value of 3600 seconds for the sleep command, so once the test ends, it will automatically exit after an hour.

Let’s take a look at our manual, when we execute the PS command, we should see [kWorkerd] is running.


Figure 3: Linux kernel thread with truly replacement

Puppet, Linux kernel thread, camouflage

The first way we use to cover up the camouflage process is to see if it has anything under / proc / / maps. pid>

This location is typically a location that displays them links to a location and a location mapped to the memory. For true kernel threads, it should be empty. If you look for the process named [Brackets] in this location, it is not a real kernel thread.

The basic command we will use is CAT / Proc / / Maps, where is the process ID we are studying. In the example above, we think [kWorkerd] seems to be suspicious for PID 2121, so we will check it: pid> pid>

CAT / Proc / 2121 / Maps

Figure 4: Using Linux / PROC mapping detection kernel camouflage

If you see anything under this area, there is [Brackets] around the process, it may be malicious and try to hide.

If you need, you can run this command to quickly traverse all system PIDs and see which names with square brackets, but have mapping files. Usually, you can’t see anything here. Any information on display data should be further investigated.

PSAUXWW | GREP [| awk ‘{print $ 2}’ | xargs-i% SH-C’echopid:%; CAT / Proc /% / Maps’2> / dev / null

If you have found anything, this command will output the following images.

Figure 5: LookUX kernel looking for camouflage

In the / proc / / maps list, you will see some paths to study where the binaries are chained to receive their own or the library used. On top, we see the / tmp / [kworkerd] path, which is the high priority location to survey. You may also see the suspicious library, the reference to the hidden directory, and so on. Take a closer look, make sure you won’t miss anything! PID>

Camouflage encrypted disguised Linux kernel thread

Another way to expose the camouflage Linux kernel thread is to see if it displays binary files associated with the running process. Basically, you only use the technologies we discussed about recovering the deleted malicious binary files, but please check if you can get SHA1. If you return, then this is a normal process attempt to hide, not the kernel thread. The real kernel thread will not link to binary files that start their. If you only view / proc / / exec, you can quickly copy the process binary file on Linux. You can copy this file to a new location and have an instant snapshot of binary files that start the process. You can also use this link to get an instant value to check the database of known malware. The real kernel thread will not be able to get this data, only the top of the top of the top. pid>

In our case, we will use this knowledge to investigate suspicious PID 2121 as follows:

SHA1SUM / PROC / 2121 / EXE

Figure 6: SHA1 for obtaining Linux kernel camouflage attacks

Let’s restore binary and copy it to a place so that you can analyze it offline. With the following command, we will copy to / TMP / SUSPICIOSUS_BIN. Now, we have your own copy to prevent malware to try to self-defense itself:

CP / Proc / 2121 / EXE / TMP / SUSPICIOS_BIN

Figure 7: Restore suspicious Linux malware binary

If you want to automatically search the PID and get the Sha1 Attack of the Phakille, you can run the following command:

PSAUXWW | GREP [| awk ‘{print $ 2}’ | xargs-i% sh-c’echopid:%; SHA1SUM / PROC /% / EXE’2> / dev / null

The above command will try to get all the SHA1 with [Parentament] process, any return value may be a liar:

Figure 8: Script output of SHA1 for camouflage Linux kernel threads

Now, you have two reliability methods that use the Linux command line to investigate suspicious processes that try to disguise into kernel threads. After reading this article, you should know how to determine if the Linux system is invaded by hackers?